Installation of Wazuh in Ubuntu 24.04.2

Step-by-step tutorial on installing and configuring Wazuh for your SOC’s SIEM deployment and monitoring.

May 19, 2025 - 20:36
May 19, 2025 - 21:30

 

Introduction

Wazuh is an open-source solution that enables organizations and individuals to enhance their capabilities in threat prevention, detection, and response. It also integrates features of Extended Detection and Response (XDR) and Security Information and Event Management (SIEM), providing a comprehensive platform for real-time monitoring, threat analysis, and security event correlation.

 

You can deploy Wazuh in single mode (All-in-One) or multi-node (Distributed mode). 

  • Single-mode deployment will combine all Wazuh components (Wazuh indexer, manager, and Dashboard) into a single instance.
  • Multi-node deployment will distribute the Wazuh components across the different instances for high availability (HA) and scalability.

Wazuh also has two installation methods:

  • Assisted installation: The script will automate and install all components and configurations.
  • Step-by-step installation: This method provides instructions for each command while installing all components and configuration.

 

This post uses a single-mode deployment and the assisted installation method.

 

Prerequisites

  • Ubuntu server 24.04.2
  • Internet connection to the Ubuntu server

 

Initial procedures to do before installation

Confirm that the server's hostname (DNS name) is the one you want to use.

Run the command below to check your hostname:

#hostname


 

To change the hostname, run the following command, replacing <new-hostname> with the name you want:

#hostnamectl set-hostname <new-hostname>

To make it permanent, it is recommended to edit the /etc/hosts file so that it points to the correct hostname.

Run the command below to edit the file:

#nano /etc/hosts


Press Ctrl + X, Y, and Enter to save the file.

 

Next, update and upgrade the packages available on the server.

Run the command below:

#apt-get update && apt-get upgrade


Wazuh installation

Log in to the server and become the sudo user (root).

Initial configuration

In this step, we will download the installation assistant script and the configuration file.

Run the commands below:

#curl -sO https://packages.wazuh.com/4.12/wazuh-install.sh

#curl -sO https://packages.wazuh.com/4.12/config.yml

 

 

Now, we need to change the config.yml file to reflect the details of our server.

Run the command below to edit the configuration file:

#nano config.yml

 


In config.yml, change the node names to whatever you want and set the IP addresses to your server's IP address.

For example, I want to name the indexer “echo_indexer”, the Wazuh manager “echo_wazuh”, and the dashboard “echo_dash”, and my IP address is 192.168.68.128.
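
The edit described above can also be scripted. This is an added example, not part of the original post: it validates the IP address and node names and then writes a single-node config.yml with the values used in this tutorial. The function names are hypothetical, and the YAML layout is assumed to match the config.yml template downloaded earlier.

```shell
#!/bin/sh
# Added example: generate config.yml for a single-node (all-in-one) install.
# Layout assumed from the config.yml template; values are the tutorial's.

# Succeed only for a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots into positional parameters
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Usage: write_wazuh_config INDEXER SERVER DASHBOARD IP [OUTFILE]
write_wazuh_config() {
    indexer=$1 server=$2 dashboard=$3 ip=$4 out=${5:-config.yml}
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    for name in "$indexer" "$server" "$dashboard"; do
        case "$name" in
            ''|*[!A-Za-z0-9_.-]*) echo "invalid node name: '$name'" >&2; return 1 ;;
        esac
    done
    # All three components share one IP because they run on the same host.
    cat > "$out" <<EOF
nodes:
  # Wazuh indexer nodes
  indexer:
    - name: $indexer
      ip: "$ip"

  # Wazuh server (manager) nodes
  server:
    - name: $server
      ip: "$ip"

  # Wazuh dashboard nodes
  dashboard:
    - name: $dashboard
      ip: "$ip"
EOF
}

# write_wazuh_config echo_indexer echo_wazuh echo_dash 192.168.68.128
```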


 

Wazuh components installation

 

The next step is to run the Wazuh installation assistant script with the --generate-config-files option to generate the Wazuh certificate, cluster key, and passwords, which are important files during the Wazuh installation. You can find those files in wazuh-install-files.tar. Because this archive contains keys and passwords, keep it readable only by root.

Run the command below to generate those files:

#bash wazuh-install.sh --generate-config-files

 

Now, we are ready to proceed with the installation of the Wazuh components (indexer, manager, filebeat, and dashboard).

Review the available options by running the command below:

#bash wazuh-install.sh

 


 

The output lists more options, but in our case we will use the -a option, which installs and configures all Wazuh components.

Run the command below:

#bash wazuh-install.sh -a

 

It will start installing Wazuh indexer, Wazuh manager, and the dashboard. Keep your eye on the screen until you get the last output of the command.


 

The last output of the command includes the credentials for the dashboard. Copy them somewhere safe, because we will use them to log in.
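
If the credentials scroll off the screen, they can be read back from wazuh-install-files.tar. This is an added example, not part of the original post: the function names are hypothetical, and the member path wazuh-install-files/wazuh-passwords.txt and its username/password line layout are assumptions about how the installer lays out the archive.

```shell
#!/bin/sh
# Added example: protect the generated archive and read a password from it.
# Assumed member: wazuh-install-files/wazuh-passwords.txt, with lines such as
#   indexer_username: 'admin'
#   indexer_password: '<password>'

# Remove group/other access from the archive (it holds keys and passwords).
lock_down_archive() {
    [ -f "$1" ] || { echo "not found: $1" >&2; return 1; }
    chmod 600 "$1"
}

# Print the password recorded for user $2 (default: admin) in archive $1.
# Returns non-zero if the archive, the member or the user is missing.
wazuh_password() {
    archive=$1 user=${2:-admin}
    tar -xOf "$archive" wazuh-install-files/wazuh-passwords.txt 2>/dev/null |
    awk -v u="$user" -v q="'" '
        # Strip the "key:" prefix and the surrounding single quotes.
        function value(line) {
            sub(/^[^:]*:[ \t]*/, "", line)
            gsub("^" q "|" q "$", "", line)
            return line
        }
        /_username:/ { current = value($0) }
        /_password:/ && current == u { print value($0); found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# lock_down_archive wazuh-install-files.tar
# wazuh_password wazuh-install-files.tar admin
```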

 

 

Access your Wazuh dashboard.

 

Open your favourite browser and go to https://<your-server-IP-address>

In my case, I will use https://192.168.68.128.

The browser will warn you about the certificate (Your connection is not private), because it does not trust the certificate generated during the installation.


Click Advanced and click the link below it to proceed.
Now, use the credentials you have for the admin to log in to the Wazuh dashboard.

 

Congratulations, you have installed Wazuh on your server.

 

 

 

Now, we should plan the following things:

  • Data onboarding
  • Data retention
  • Rule Tuning and Alert Noise Reduction
  • Alerting and Notification Setup
  • Dashboards and Visualization
  • User and Access Management
  • Backup and Recovery Strategy
